Secure the Groove Server Relay installation

Groove Server 2010

Applies to: Groove Server 2010

Topic Last Modified: 2010-01-15

This article provides information and procedures for improving the security of the Groove Server Relay installation. Groove Server 2010 Relay installs with Windows Firewall turned on and with the exceptions described in Plan port configurations for Groove Server. For added security, locate your Groove Server Relay installations in a perimeter network and restrict access to the relay administrative ports as discussed in this section.

Groove Server Relay uses two administrative listener ports: port 8009 with proprietary SOAP security for Relay server management transmissions from Groove Server Manager, and port 8010 with Secure Sockets Layer (SSL) encryption for browser access to the Groove Server Relay administrative Web interface. By default, both ports are bound to all network adapters, allowing Manager server access over a public network and remote access to Relay server administrative Web pages. Binding these ports to separate network adapters (NICs) so that Manager server access occurs over a private administrative network is a recommended security measure. The Relay server provides two registry string values that you can use for these port bindings, as described in the following procedure.

To assign the SOAP port 8009 to a separate protected network adapter so that Groove Server Manager contacts the Relay server over a private protected network, use the registry editor to define a registry string value name for port 8009/TCP as follows:

Set the data string value to the IPv4 or IPv6 address of the interface to which you want to restrict the administrative port. Use the following table of sample registry entries for guidance:

Note: Port 8009/TCP should be configured for restricted access by Groove Server Manager.

| System | Name | Type | Data |
|---|---|---|---|
| IPv4 | AdminGrooveSOAPInterface | REG_SZ | 192.128.1.1 |
| IPv6 | AdminGrooveSOAPInterface | REG_SZ | 1010:3898:3030:1001:f935:f4f2:ee6a:0056 |

To assign the SSL port 8010 to a separate network adapter so that trusted administrators can browse to Groove Server Relay administrative Web pages, define a registry string value name for port 8010/TCP as follows:

Right-click the port 8010 string value name: AdminInterface.

Set the string value to the IPv4 or IPv6 address of the interface to which you want to restrict the administrative port. Use the following table of sample registry entries for guidance.

Note: Port 8010/TCP should be configured for internal access by administrators.

| System | Name | Type | Data |
|---|---|---|---|
| IPv4 | AdminInterface | REG_SZ | 192.128.1.2 |
| IPv6 | AdminInterface | REG_SZ | 1010:3898:3030:1001:f935:f4f2:ee6a:0057 |
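A check for the result of both bindings once the changes are in effect, as an added example that is not part of the original article: it reads `netstat -an` listener lines and flags port 8009 or 8010 when it is still bound to all adapters or to an address other than the intended one. The function name `Test-RelayAdminBinding` and the sample netstat lines are constructed for illustration, the expected addresses are the sample values from the tables above, and English `LISTENING` state text is assumed.

```powershell
# Added example (not from the original article). Expected addresses are the
# sample IPv4 values from the tables above; substitute your own.
$Expected = @{
    8009 = '192.128.1.1'   # AdminGrooveSOAPInterface: SOAP port for Groove Server Manager
    8010 = '192.128.1.2'   # AdminInterface: SSL port for the administrative Web pages
}

function Test-RelayAdminBinding {
    param(
        [hashtable]$Expected,
        [string[]]$NetstatLines = (netstat -an)   # live listeners unless lines are passed in
    )
    foreach ($line in $NetstatLines) {
        # Listener rows look like: "  TCP    0.0.0.0:8009    0.0.0.0:0    LISTENING"
        if ($line -notmatch '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING') { continue }
        $port = [int]$Matches[2]
        if (-not $Expected.ContainsKey($port)) { continue }

        # Parse both sides so IPv6 spellings (leading zeros, brackets) compare equal.
        $bound  = [System.Net.IPAddress]::Parse($Matches[1].Trim('[', ']'))
        $wanted = [System.Net.IPAddress]::Parse($Expected[$port])

        if ($bound.Equals([System.Net.IPAddress]::Any) -or
            $bound.Equals([System.Net.IPAddress]::IPv6Any)) {
            $status = 'FAIL: bound to all adapters (the default)'
        } elseif ($bound.Equals($wanted)) {
            $status = 'OK: restricted to the intended interface'
        } else {
            $status = "FAIL: expected $wanted"
        }
        New-Object PSObject -Property @{ Port = $port; Address = "$bound"; Status = $status }
    }
}

# Constructed sample lines (not captured from a real server):
# 8009 is restricted as intended, 8010 is still on the default binding.
$sample = @(
    '  TCP    192.128.1.1:8009       0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:8010           0.0.0.0:0              LISTENING',
    '  TCP    [::]:8010              [::]:0                 LISTENING'
)
Test-RelayAdminBinding -Expected $Expected -NetstatLines $sample |
    Format-Table Port, Address, Status -AutoSize
```

On the relay server itself, omit `-NetstatLines` so the function reads live `netstat -an` output.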

For the registry edits to take effect, update the Administrative settings in the Groove Relay Control Panel item as follows: